In Ubuntu 11.04 I could mount a file system in /media/foo and run chown guest:guest /media/foo/bar -R and have full access in the guest account. After the upgrade to 12.04 I changed my routine to reflect the new guest usernames (chown guest[id]:guest[id] /media/foo/bar -R) but I still can't access it as a guest user, as I don't have access privileges to /media as guest:
ls: cannot open directory /media: Permission denied
(Very interestingly this does work if I su into the guest account as root). I understand this is meant as a security measure but I don't see how it is done. ls -l / reports
drwxr-xr-x 11 root root 4096 Sep 9 22:28 media
Thus my two questions: How does this restriction work and how can I access a mounted file system as a guest user, ideally without allowing access to all of the other mounted file systems?
Best Answer
Access to
/mediais restricted by the AppArmor profile/etc/apparmor.d/lightdm-guest-session. There are two exceptions (lines 31 and 32):That allows access if
/media/foois owned by guest[id], which is the first alternative to solve my problem. The downside is that the guest account can create arbitrary directories and files in the root of /media/foo. I decided to explicitly poke a hole for/media/foo/barand added the lines:A description of the syntax can be found here: http://doc.opensuse.org/documentation/html/openSUSE/opensuse-security/cha.apparmor.profiles.html
To the best of my knowledge this only allows the guest session to access
/media/foo/barand only if guest[id] is the owner ofbar. Note that guest[id] still cannot access/media/fooitself. Thusls /media/foowill fail, butls /media/foo/barworks.Lastly reload the profile for the changes to take effect: